Privacy Policy

1. Information We Collect

• Account Information: Name, email, phone number, language preference.
• Location Data: GPS coordinates processed for navigation and unlocking cultural stories. Stored only as coarse city + hashed unlock proof, not continuous tracking.
• Usage Data: Interactions, badges unlocked, reports submitted, crash logs, and device signals for anti-abuse.
• User-Generated Content: Stories, reviews, or photos you share in-app.
• Optional Data: Preferences you set (e.g., dark mode, language, notifications).

2. How We Use Your Information

• Operate and improve the Service (navigation, unlocks, rewards).
• Ensure cultural sensitivity, safety, and scam-prevention.
• Detect and prevent fraud, abuse, or GPS spoofing.
• Provide support, respond to reports, and resolve incidents.
• Send service-related notifications (updates, downtime, material changes).
• With your consent, send optional marketing or event communications.

3. Legal Basis & Consent

We process personal data on the basis of:

• Performance of contract (providing the Service you requested).
• Compliance with legal obligations (DPDP, audits, grievance handling).
• Legitimate interests (fraud detection, cultural harm prevention).
• Your explicit consent for optional data uses (marketing, analytics).

You can withdraw consent anytime via in-app settings or by contacting us.

4. Minors & Families

MileTale is intended for users 16+. Under India’s DPDP Act, users under 18 are treated as children and require verifiable guardian consent to use certain features. We do not knowingly collect or profile data from minors without consent.

5. Data Retention

• Unlock proofs & logs: retained ≤ 18 months.
• Support tickets & reports: retained ≤ 24 months.
• Analytics data: anonymized and aggregated.
• Earlier deletion when not needed for legal or safety purposes.

6. Data Sharing & Partners

We do not sell personal data. We may share limited data with:

• Service Providers: Hosting, analytics, or support providers under contractual safeguards.
• Partners: Only what is required to verify a reward redemption (e.g., QR scan validity). Partners cannot request additional personal data.
• Legal Authorities: Where required by law, regulation, or safety.

7. Security

• TLS encryption in transit; AES encryption at rest.
• Least-privilege access controls and periodic reviews.
• Secret rotation; no client-side hardcoded secrets.
• Incident response playbook: contain, assess, notify within 72h if required.

8. Your Rights

Under India’s DPDP Act, you have the right to:

• Access your personal data.
• Request correction of inaccurate data.
• Request deletion of your account/data (subject to legal exceptions).
• Withdraw consent at any time.
• File a grievance with our Grievance Officer.

Requests will be addressed within 30 days. Some data may be retained to comply with law or detect fraud.

9. Changes to this Policy

We may update this Privacy Policy to reflect operational, legal, or regulatory needs. Updates will be posted here with a new "Last Updated" date. For material changes, we may notify you in-app or by email. Continued use after the effective date means you accept the updated Policy.

10. Contact Us